The question of privacy and security (or lack thereof) for mobile devices has enjoyed a position as the baseline of the news cycles for many years. Whether it’s stories of the FBI tracking Trump supporters through the Parler mobile application during the Stop The Steal Rally of 2020, the NSO group’s technology solutions being used to track Jamal Khashoggi, or data fusion companies listing phones as their main source of information; the intrusive nature of Google and iPhone devices is well documented and practically unavoidable at this point.
As professional privacy, vulnerability and OSINT analysts, we’re often asked for our advice on which phone is ‘safe’ to use and why. Is iPhone safer than Android, or vice versa? How do I mitigate my digital or metadata footprint at the point of collection and reduce my attack surface to both passive and targeted attackers?
In this post, I will provide an overview of GrapheneOS, its features, user experience and attempt to distill the technical information listed on their website down to a message more palatable to the average phone user. I will also compare GrapheneOS to other de-googled operating systems from a privacy and security standpoint, and present examples of threat categories (to which we are all exposed) for context. Finally, I will make recommendations for devices, applications and use based on my personal experiences, as well as those with my clients.
BLUF
Bottom Line Up Front (BLUF): GrapheneOS offers industry-leading security & privacy without sacrificing the ease of user interface which Android is known for, making it the operating system of choice for privacy enthusiasts of all proficiency and skill levels. Aside from purchasing a new device, this comes at no cost to the user.
Use-Case & Scope
For my personal use-case, I was seeking an operating system and device combination which grants high levels of both privacy and security by default. Within this post, I will define ‘privacy’ as the state of being free from the knowledge and passive observation of others, and ‘security’ as freedom from risk of intrusion or denial of service.
With this, it is important to also perform a rudimentary (or at least in the back of your mind) threat analysis and ask “privacy or security from who” in order to help categorize risk. From what I’ve seen and have read, the categories of capability are typically as follows, listed in ascending order:
- Passive: Data fusion companies and their clients (includes law enforcement & nation state actors), breach-data collectors and low level scammers. Passive attacks seek to utilize a vulnerability before it is fixed to gain access to as many devices or information as possible.
- Organized Crime & Non-state Actors: This includes drug cartels like MS-13 and others, ISIS, Cuban Revolutionaries and IRA as well as Antifa & Black Lives Matter. Each has a high level of capability and resources both in-house and through consultants, and will deploy these against individuals and small groups – such as a strong MAG, church preparation groups and the like.
- Nation State Actors: Beyond their abilities to develop and deploy advanced persistent threats, nation states are THE largest consumers of both metadata (shown in category 1) as well as 0-Day exploits, which are system exploits that are not yet fixed by the team which maintains your system.
This overview is primarily for those seeking solutions against actors in categories 1 & 2, but also strong resilience against actors in category 3. With this said, your best bet against all categories is to take steps to mitigate your metadata and digital footprint – education of this category being the main goal of this blog. Where actors of categories 1 & 2 will rely on open-sourced information, intelligence analysis and data fusion companies; case officers within category 3 will have to exhaust these resources before applying to their Asset Manager for the use of ‘tools’ (0-days). Typically, you would have to be a fairly high profile threat to justify this.
Comparison to Other De-Googled OS

Within the De-Googled device market, there are numerous options to choose from, but the main competitors are CalyxOS and LineageOS. More information on both of these can be found through the afore-listed links, but here is my two cents on each and why I recommend against both.
CalyxOS
Most appealing about this OS is that it is supported for a very wide range of devices (16 at the time of this writing). However, as I compare this to other privacy-centric OSes, my interest starts taking hits on the home page, then eventually dies on the CalyxOS Documentation > About page, as they are offering a lot of buzzwords and alternative software (which work on any system and which you can source yourself on alternativeto.net), but not a lot of information or answers on how the system works or why it is private. I also found it strange that they recommend the use of Signal Messenger.
I could download and tear apart the source code, but the project hasn’t justified that level of analysis from me yet. What I will likely do in the near future (because I have to know) is install this OS to my current Pixel after I upgrade, then run it through some in depth security tests and analyze the source code.
However, judging by the documentation, it seems that Calyx is a possible candidate for the Privacy category, but mostly against the first category of threat actors (passive threats), and not as much for Security.
LineageOS
This is one of the most widely used de-googled phone operating systems, whose wide adoption is likely based on a broad group of community developers using the project to build development experience they can point to on a resume. One of the problems with LineageOS is that while it does enhance the user’s privacy from the type of metadata collected by the Google operating system, and Google Play services are not installed by default, it does so at great cost to your device security – thereby increasing the threat surface exposed to threat actors in categories 1 through 3.
This is because Lineage lowers the device’s security in many technical ways (that most people won’t want to dive into): it weakens Security-Enhanced Linux (SELinux) policies, disables verified boot (and bootloader locking), lacks proper update security and adds significant threat surface by using userdebug builds – this last part meaning that anyone can update your OS system repository. There are also reports claiming that most distros of Lineage do not feature rollback protection, which is a measure that prevents your device from being downgraded to an earlier (unsupported) version of software, where an exploit may be widely available. This would be the equivalent of walking away from a Windows 11 computer for your lunch break, then coming back to a Windows 8 desktop that’s exfil’ing your passwords.
Based on this fundamental flaw, it does not seem that Lineage should be considered for any privacy or security centric strategy or any of the three threat categories, and it does not matter if this is a WiFi only tablet.
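To check the properties named above on a device you own, the following added example (not code from this post, LineageOS or GrapheneOS) audits the output of `adb shell getprop` for a userdebug build, an unlocked bootloader, unenforced verified boot and a stale patch level. The property names are standard Android ones; the two dumps and the `oldest_patch` threshold are constructed assumptions, and rollback protection is not checked.

```python
import re

# Constructed `adb shell getprop` excerpts (not captured from real devices).
WEAK_BUILD = """\
[ro.build.type]: [userdebug]
[ro.debuggable]: [1]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.flash.locked]: [0]
[ro.build.version.security_patch]: [2022-01-05]
"""
HARDENED_BUILD = """\
[ro.build.type]: [user]
[ro.debuggable]: [0]
[ro.boot.verifiedbootstate]: [yellow]
[ro.boot.flash.locked]: [1]
[ro.build.version.security_patch]: [2023-03-05]
"""

PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text):
    """Turn '[key]: [value]' lines into a dict, ignoring anything else."""
    props = {}
    for line in text.splitlines():
        match = PROP_LINE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props


def audit_build(props, oldest_patch):
    """Return {property: reason} for every check that fails.

    A missing property counts as a failure (fail closed).
    oldest_patch is an assumed policy value in YYYY-MM-DD form.
    """
    findings = {}
    if props.get("ro.build.type") != "user":
        findings["ro.build.type"] = "not a production 'user' build"
    if props.get("ro.debuggable") != "0":
        findings["ro.debuggable"] = "debuggable build (adb root available)"
    # green = locked, OEM key; yellow = locked, user-installed key;
    # orange = unlocked bootloader; red = verification failed.
    if props.get("ro.boot.verifiedbootstate") not in ("green", "yellow"):
        findings["ro.boot.verifiedbootstate"] = "verified boot not enforced"
    if props.get("ro.boot.flash.locked") != "1":
        findings["ro.boot.flash.locked"] = "bootloader is unlocked"
    # ISO dates sort correctly as plain strings.
    if props.get("ro.build.version.security_patch", "") < oldest_patch:
        findings["ro.build.version.security_patch"] = "patch level too old"
    return findings


if __name__ == "__main__":
    for name, dump in (("weak", WEAK_BUILD), ("hardened", HARDENED_BUILD)):
        result = audit_build(parse_getprop(dump), oldest_patch="2023-01-01")
        print(name, "->", result or "no findings")
```

A `yellow` verified boot state is expected on a locked device running an alternative OS signed with its own key, so it is treated as passing here.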
GrapheneOS Overview

Like the Calyx and Lineage operating systems, GrapheneOS is based on Android and thus benefits from Google’s team in many ways. Now as a disclaimer, I would love to go into the security & privacy features at a granular level, but will refrain from that here, as I intended this post as an overview.
Security
A zero-day (or 0-day) vulnerability is a system exploit which has been discovered but not patched – or has been patched for 0 days. To my knowledge, all operating systems, anti-virus software and managed service providers rely on a whack-a-mole type defense model which seeks to detect and patch vulnerabilities after they are discovered but before they infect every single device under management. Google’s Project Zero is a prime example of one such group, and a leader in this field of research.
While this model makes the world more difficult for hackers and independent exploit developers in the long run, it does little to nothing to protect the first several thousands (or even hundreds of thousands) of devices from infection. This is not uncommon today, as 0-day exploits have become more widespread in their use than many people would know. For this reason, GrapheneOS is heavily focused on protecting users from attackers who develop and deploy 0-day vulnerabilities. This makes them unique among other de-googled OS options and is accomplished through a multi-layer defense strategy:
- First Line: The first line of defense is attack surface reduction, which is accomplished by removing unnecessary code and areas of exposed attack surface, which eliminates many vulnerabilities completely. In this sector, GrapheneOS does not leave any loose ends for future development, as many of the other alternative OSes do.
- Second Line: The second line of defense adds to the hard work done by Google and Project Zero through patching and by avoiding known bugs through strong exploit mitigation techniques and tools.
- Third Line: Improved sandboxing, which is highly effective at protecting applications from being used as a point of entry for an entire system. GrapheneOS goes the extra mile by sandboxing separate windows and tabs (i.e. your browser).
- Fourth Line: Persistence mitigation and detection. This prevents an attacker from persisting their control of a component (or entire OS) through verified boot.
More information on GrapheneOS defense against zero-days, known and unknown vulnerabilities and their privacy measures can be found on their webpage: https://grapheneos.org/features#exploit-protection. I encourage every security & privacy enthusiast to dig around on this page – especially if on the fence about which OS to go with for your phone.
There are also a huge number of permission toggles which actually work. A few that I’ve tested were the USB accessories and WiFi Privacy toggles. The first I tested with my O.MG cable (by @_MG_), which has worked against my wife’s Motorola with the same permission disabled. With the GrapheneOS phone, my payload was not successfully deployed, which I verified by FTP’ing into my server and seeing that no new attempts were made to call home.
The second, which is related to GrapheneOS Closed Device Identifier Leaks, I tested with nmap and Metasploit, and it was not very fruitful. Even with the IP address known (it was originally hidden so I cheated) neither tool would help me determine the device operating system and could not find a vulnerability as a result. I found this very interesting because while active on other systems, this setting will normally only hide the device’s IP from a passive scan, but not the operating system or device type itself. As a comparison to my wife’s Windows 11 computer and other mobile devices, I am able to locate the device on the network and then find a number of exploits quickly. What this means is that unlike the Windows 11 computer (and many other operating systems), the GrapheneOS phone will not be quick work for a script kiddie.
The last (but certainly not least) feature that I will mention in this post is GrapheneOS secure application spawning, which drastically mitigates the user’s threat surface from vulnerabilities within their applications. If a researcher develops a vulnerability for something like Signal or Telegram (threat categories 1 & 3), there will be little that they could do to leverage this to compromise the GrapheneOS phone.
Privacy
With regards to privacy, the GrapheneOS team deviates from other de-googled projects in several meaningful ways, not only as a healthy by-product of their security controls, but also in ways which mitigate or stop your phone and apps from broadcasting metadata. Listed below are some that were at the top of my list, as they would make the data collected by data fusion companies more difficult to come by:
- Permission Toggles: The user can set master rules that enable or disable permission sets across every application. These can be fine-tuned within each individual app and they actually work – unlike the Apple and Google based phones (LineageOS included) where numerous reports have surfaced that the company treats these toggles as ‘requests’ more than ‘rules’. The limited testing I’ve performed was through Wireshark and my DNS provider.
- WiFi Privacy: Per-connection MAC randomization is enabled by default, making it more difficult to establish patterns of life by the device operator. It also makes pentesting much more difficult, which I mention above.
- Private Photos: While wearing my OSINT Analyst hat, one of the first actions I take as a new photo comes across my desk is an EXIF scan to catalog detailed information about device, date/time & zone offset, OS & version, MAC and more. GrapheneOS excludes much of this by default, but I still recommend an EXIF ‘cleaning’ app or program.
- Memory Compartmentalization: Highly Restricted Storage Scopes: Users can enable Storage Scopes to grant the requested permissions in a highly restricted mode where the app can create files/directories in the user’s home directory but can only access the files it has created itself.
- Google Play: Google Play is not installed by default, but can be if the user so chooses. Unlike LineageOS, GrapheneOS automatically sandboxes Google Play and Google Play Services in a way which stops it from collecting usage information from the rest of the system, then exporting it to Google.
With these features, the primary source of metadata printing in the average user’s life (being their phone) has been drastically reduced. However, if the user decides to install Google Play and the applications used on their old devices (specifically banking and social media), they will slowly erode this strong baseline of privacy provided. Remember that behavior is the strongest deterrent to threats of all three categories mentioned in the Use-Case.
User Experience
On the surface, it acts and feels much like any other Android or touch screen phone, meaning that the learning curve will be flat for any user. Its GUI is based on Android so it acts in a smooth and elegant way, which is not at all what most would expect for a secure operating system. This said, the sandboxing will eventually use a lot of your system’s resources, so a decline in overall performance may eventually result from the user not shutting down applications not in use.
In terms of functionality, the primary difference is how the user installs mobile applications. For example, there is no Google Play Store or Play Services. For software, you can either directly install the desired app’s Android Package (APK) from the server (which is what most do for Signal) or you can use the F-Droid repository. For those who are not familiar, F-Droid is an installable catalog of Free and Open Source Software (FOSS) applications for Android based systems. F-Droid works in a similar manner as Google Play, but only features FOSS applications and does not require parallel services running to shuttle information or updates.
Another option is to get the Aurora store for Android, which allows you to install apps from the Google Play store. Personally, I would not do this with GrapheneOS for several reasons, but mainly because the OS comes without Google Play services (for good reason) and this is not added by the Aurora store – so many of the services that your Play Store apps depend on will not work properly on GrapheneOS but the risk of a potential security or privacy vulnerability. My other considerations are around metadata collection and user privacy mentioned above.
Recommended Devices

I was highly skeptical of the project when I started experimenting with it more than 4 years ago; so I bought the cheapest phone that the project supported, expecting GrapheneOS to operate in a way which would not earn my endorsement (to say the least). Yet here I am today, still using the same phone and still averaging more than 68 hours between charges with only ~30% of the 125 GB drive in use.
My next device will likely be the Pixel 6, Pixel 6 Pro or higher as I plan to use GrapheneOS as my daily driver for many years and both of these models offer a significant battery upgrade, as well as wireless charging. According to the team with GrapheneOS, the newer models will likely receive the longest term support. At the time of this writing, GrapheneOS is supported for the following phones:
- Pixel 7 Pro (cheetah) – recommended by dev team
- Pixel 7 (panther) – recommended by dev team
- Pixel 6a (bluejay) – recommended by dev team
- Pixel 6 Pro (raven) – recommended by dev team
- Pixel 6 (oriole) – recommended by dev team
- Pixel 5a (barbet)
- Pixel 5 (redfin)
- Pixel 4a (5G) (bramble)
- Pixel 4a (sunfish)
My recommendation to my clients (and readers) is to go for the newer devices if budget allows, as the GrapheneOS team is likely to support them for many years into the future. You could purchase a less expensive model (like the Pixel 4a) but you will likely be looking for an upgrade to a newer model in the near future as the support for this device ends.
Installation Process
The GrapheneOS team has created two methods for installation: the WebUSB-based installer and command-line installation. While the first method is recommended by the development team for “most users”, it only works through Google based browsers, such as Chrome and Brave. I will not discourage you from taking this route, but I will point out that this is a privacy flaw for many – including myself.
The Command-line installation method is extremely easy to follow and the team has created copy/paste commands for your terminal, making it about as easy as the WebUSB-Based installer. If you followed along with my Hidden Web Page: Raspberry Pi project, then this should be a breeze for you.
Recommended Use
The GrapheneOS & Pixel combination receives my recommendation as a daily driver, but only with the proper use. Remember that this phone is “hardened” but neither “invincible” nor “invisible”, so your behavior on it will be the determining factor in your overall security and privacy postures.
Do not Purchase a Phone with GrapheneOS Pre-Loaded
Many readers who are light on computer skills are probably inclined to seek a managed solution – e.g. purchase a Pixel device with GrapheneOS pre-loaded on it. My recommendation is against this for two reasons: First is that the Graphene team has simplified installation to the point akin to setting the clock on your microwave. You can do this!
The second (and main) reason is that when you purchase a pre-loaded phone from a third party, you are putting your trust into that party not to install malware, key loggers, an active backdoor or some 0-day onto the phone. If I were an access broker, or someone who sells information to access devices and networks to organized hacker rings, I would definitely sell these pre-loaded GrapheneOS devices on the Amazon marketplace, because my customers are likely those with information or assets they believe they need to secure.
Further, the Auditor app only checks that the OS has not been tampered with, meaning that it is not likely to have the ability to detect malicious software installed in parallel.
Recommended Applications
The following are my generic app recommendations for every use-case I’ve run into or have been consulted on:
- Your VPN of choice: I’m using ProtonVPN which is FOSS, unlike the mail client for some reason.
- Briar Privacy Messenger
- KeePassDX – Mobile version of KeePassXC password manager
- Tor Browser – by The Guardian Project
- Aegis 2FA
- OsmAnd – Offline maps & navigation
- Notally – Basic Note taking app
- ObscuraCam – by The Guardian Project
Compartmentalization is Key
Mobile applications have brought unparalleled convenience to our lives, but at the cost of unparalleled levels of intrusion of our privacy. Examples of applications which are notorious for collecting data on their users are as follows:
- Social media applications
- Banking & other Financial apps
- Mobile Email clients
- Games
- Online Navigation (such as google maps)
- Many camera applications
Because of this, I recommend that every user keeps work, financial, email and social media use to their computer, as there are many more measures that can be taken to mitigate (or remove entirely) these sources’ ability to collect information.
Conclusion
If you like GrapheneOS, be sure to show the development team your appreciation for all of their hard work through their donation page – but do it with Monero(XMR), as theirs is the Bitcoin address that I used as an example in my post on Crypto Currencies & Privacy.
In the future I will publish my findings on how GrapheneOS held up against penetration techniques, which I will update here and on social media. In the meantime, I hope that you took something useful away from this post and that you will feel free to reach out through the Contact form here or through your social media of choice. If you have any questions, ideas or want to bounce a specific use-case off the wall, I’d love to hear from you.